R315. Provide processed data information

This document contains the details of the security requirements related to the management and protection of data privacy in the organization. This requirement establishes the importance of informing the users about what personal information is being processed.

Requirement

The system must provide information about the personal data that it processes.
Additionally, this information should be presented to the user before
requesting their consent for its collection or processing.

Description

Systems usually request information from the users,
obtain it from third parties or collect it based on their interactions with the
application.
They should have a mechanism that allows users to find out about the following
regarding the personal information that they process:

The purpose of the processing of the data.

The categories of processed data.

The actors who will have access to the information.

If possible, the time for which the data will be managed/processed.

The existence of the possibility to request erasure or rectification.

If the data was obtained from a third party, information about the third
party.

Furthermore, the data should be presented in a clear manner,
in a structured format and using an easy to understand language.

Exceptions

If the system is able to demonstrate that it is not possible to individually
identify the users based on the information collected from them,
this requirement is not applicable.

The processing of the personal information might have scientific or
historical research purposes or statistical purposes.
If the system properly safeguards this information and if complying with this
requirement seriously impairs those purposes,
this requirement is not applicable.

The processing of the personal information might have archiving purposes
in the public interest.
If the system properly safeguards this information and if complying with this
requirement seriously impairs those purposes,
this requirement is not applicable.

GDPR. Art. 20: Right to data portability.(1).
The data subject shall have the right to receive the personal data concerning
him or her,
which he or she has provided to a controller,
in a structured, commonly used and machine-readable format.